It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

How to remove or modify Confluence X-Frame-Options response header?


my current Confluence 5.8.15 / TomCat 8 instance seems to add a "X-Frame-Options: SAMEORIGIN" header to all responses. How can I disable or modify this behavior? (please no security discussion wink)

2 answers


behavior seems to be related with the option:

antiClickJackingEnabled c.f.

Because I didn't want to change the default configuration, I rewrote my plugin to use JSONP instead of been loaded within an iframe.

Same issue over here! Since we upgraded to Confluence 5.8.16 we experience an issue that all iFrame integrations do not work anymore. Additionally, we had multiple issues with the new sameorigin policy since we use a Tivoli Access Manager in front of our Tomcat.

Jens, just saw on and from the source in that might help. Please try that, i haven't checked it yet

We had this setting enabled on Confluence 5.8.16 which worked fine. Now, on Confluence 5.8.18 it does not work anymore. I could not find any information on this on the release notes of Confluence, which is very bad :(

We are also experiencing this issue since upgrading Confluence to 5.8.18 and need to find a way for at least one space within our Confluence instance to be able to be viewed through an iframe.  Have either of you had any more luck with this?

Hi Carol!

While we were able to resolve this on Conf 5.8.16 by adding a parameter to JAVA_OPTS on, we had to add this to CATALINA_OPTS on Conf 5.8.18. See:

#Click jacking protection disable

So, if you add this to, iframes will work again!

Thanks for your quick reply, extremely appreciated!  This pointed me in exactly the direction I needed!

In case others need this, here's what I had to do since we are running on Windows using a Windows Service.

Open setting properties for Windows Services via Command Line (an example of how to do this is listed within the link below – remember we are now using tomcat8 instead of 7 when entering the command):

Within the Java Options, add the below line:

An alternate (to Java Options), if you have a web server in front of Tomcat, you can remove these two headers. e.g. in Apache/mod_headers/mod_jk kind of setup to connect Apache to Tomcat add following

<VirtualHost *:80>
        JkMount /* wconfl
        Header unset X-Frame-Options
        Header unset Content-Security-Policy

Header unset should work in other places as well in apache config file, I guess.


Suggest an answer

Log in or Sign up to answer
This widget could not be displayed.
This widget could not be displayed.
Community showcase
Published Apr 09, 2019 in Portfolio for Jira

Portfolio for Jira 3.0 is here!

The wait is over... Portfolio for Jira Server and Data Center 3.0 is now officially here! Platform releases offer Atlassian an opportunity to shift our strategy, make bold predictions about t...

1,307 views 13 25
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you